State of SIEM Detection Risk: A Wake-Up Call for Enterprise Security Teams

The recently released Third Annual State of SIEM Detection Risk Report from CardinalOps reveals some concerning gaps in enterprise security detection capabilities and highlights clear improvement opportunities. Below are some of the key findings that stood out.

The Detection Coverage Gap

One of the most striking findings is that enterprise Security Information and Event Management (SIEM) systems only have detection coverage for 24% of known MITRE ATT&CK techniques. This means adversaries could potentially leverage around 150 different techniques without being detected by typical SIEM deployments.

This is particularly concerning because organizations already have sufficient data to potentially cover 94% of all MITRE ATT&CK techniques. The gap isn’t from a lack of data – it’s from not having the right detection engineering processes and capabilities in place.


The “Broken Rules” Problem

Another troubling discovery is that, on average, 12% of SIEM detection rules are broken and will never fire alerts. This is due to various issues, including:

  • Misconfigured data sources
  • Missing fields
  • Parsing errors
  • Time gaps in scheduling
  • Data quality problems
  • Infrastructure changes

This creates a dangerous false sense of security, where organizations believe they have detection coverage that doesn’t exist.

The ways a rule can break are surprisingly varied, from mismatched source types and indices to incorrect parsing and scheduling gaps. This points to a large amount of technical debt in SIEM implementations, which need ongoing maintenance rather than one-time deployment.

Security Layer Coverage: The Container Blind Spot

The report also revealed interesting patterns in security layer coverage across enterprises:

Strong Coverage (96%)

  • Windows
  • Network
  • Identity & Access Management (IAM)

Moderate Coverage

  • Linux/Mac (87%)
  • Cloud (83%)
  • Email (78%)
  • Productivity Suites (63%)

Poor Coverage

  • Containers (32%)

The container coverage statistic is shocking, given that 68% of organizations are running containers, according to Red Hat research. This suggests a major blind spot in container security monitoring, possibly due to the challenges of writing high-fidelity detections for dynamic container environments.

Key Recommendations for Security Teams

Based on the report findings, critical recommendations for improving detection capabilities include:

1. Review and Enhance Current Processes

  • Audit existing detection coverage and identify false negatives
  • Evaluate how use cases are managed and prioritized
  • Review detection development processes and timelines
  • Implement systematic processes for identifying broken rules

2. Adopt a More Intentional Approach

Security teams should ask themselves:

  • What specifically needs to be detected based on business priorities?
  • What is actually being detected today?
  • Are detections working effectively?
  • Are the right data sources being collected?

3. Build Robust Use Case Management

  • Set clear organizational goals for increasing detection coverage
  • Establish metrics for measuring improvement
  • Create timelines for implementing enhancements
  • Apply modern DevOps and SRE approaches to SOC operations

4. Leverage Automation

  • Automate mundane tasks like MITRE ATT&CK mapping
  • Implement automated testing of new detections
  • Use automation to validate rule health continuously
  • Streamline the detection engineering process
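The “Broken Rules” section above lists the ways a detection can silently stop firing, and the automation recommendation asks for continuous validation of rule health. The following is an added example of what such a check looks like in code; it is not CardinalOps or MixMode tooling. It takes a hypothetical rule inventory (index, source type, referenced fields, schedule, last run) and a constructed snapshot of what the SIEM actually holds for each source, then reports every rule that cannot fire and why, using the report’s failure classes. All rule names, index and source-type strings, field names and thresholds are constructed for illustration.

```python
"""Rule-health check for SIEM detections (added example, not vendor code).

For each rule, compare what the search needs (index, sourcetype, fields, a
scheduler that actually runs it) against a snapshot of what the SIEM holds,
and list the reasons the rule can never fire. All data is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    name: str
    index: str                  # index/table the search targets
    sourcetype: str             # log source type the search filters on
    fields: Tuple[str, ...]     # fields the search logic references
    schedule: timedelta         # how often the scheduler should run the rule
    last_run: Optional[datetime]  # when it last actually ran (None = never)


@dataclass
class SourceSnapshot:
    """What the SIEM actually holds for one (index, sourcetype) pair."""
    fields: set                 # fields extracted from recent events
    last_event: datetime        # newest event timestamp ingested
    unparsed_ratio: float       # share of recent events with no field extraction


def check_rule_health(rules: List[Rule], snapshot: Dict[Tuple[str, str], SourceSnapshot],
                      now: datetime, stale_after=timedelta(hours=24),
                      max_unparsed=0.2) -> Dict[str, List[str]]:
    """Return {rule name: [problems]}; an empty list means the rule is healthy."""
    report = {}
    for rule in rules:
        problems = []
        src = snapshot.get((rule.index, rule.sourcetype))
        if src is None:
            # Mismatched index or sourcetype: the search can never match anything.
            problems.append(f"no data for index={rule.index} sourcetype={rule.sourcetype}")
        else:
            missing = sorted(set(rule.fields) - src.fields)
            if missing:  # search references fields the parser never extracts
                problems.append("missing fields: " + ", ".join(missing))
            if src.unparsed_ratio > max_unparsed:  # events arrive but are not parsed
                problems.append(f"parsing errors: {src.unparsed_ratio:.0%} of events unparsed")
            if now - src.last_event > stale_after:  # source went silent (data quality)
                problems.append(f"stale data source: last event {src.last_event.isoformat()}")
        if rule.last_run is None:  # scheduling gap: never executed
            problems.append("scheduling gap: rule has never run")
        elif now - rule.last_run > 2 * rule.schedule:  # scheduler skipped its window
            problems.append(f"scheduling gap: last run {rule.last_run.isoformat()}")
        report[rule.name] = problems
    return report


def broken_rule_ratio(report: Dict[str, List[str]]) -> float:
    """Fraction of rules with at least one problem (the report's 12% style metric)."""
    return sum(1 for p in report.values() if p) / len(report)


# Constructed data for illustration; every name below is hypothetical.
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
MIN, H, D = timedelta(minutes=1), timedelta(hours=1), timedelta(days=1)

SNAPSHOT = {
    ("main", "WinEventLog:Security"): SourceSnapshot(
        fields={"EventCode", "Account_Name", "Logon_Type", "src_ip"},
        last_event=NOW - 5 * MIN, unparsed_ratio=0.01),
    ("proxy", "squid"): SourceSnapshot(            # raw lines only: parser is broken
        fields={"_raw"}, last_event=NOW - 2 * H, unparsed_ratio=0.95),
    ("cloud", "aws:cloudtrail"): SourceSnapshot(   # ingestion stopped three days ago
        fields={"eventName", "userIdentity.arn", "sourceIPAddress"},
        last_event=NOW - 3 * D, unparsed_ratio=0.0),
}

RULES = [
    Rule("Brute force logons", "main", "WinEventLog:Security",
         ("EventCode", "Account_Name", "src_ip"), 15 * MIN, NOW - 10 * MIN),
    Rule("Kerberoasting", "main", "WinEventLog:Security",
         ("EventCode", "Ticket_Encryption_Type"), H, NOW - 30 * MIN),
    Rule("Proxy C2 beaconing", "proxy", "squid", ("url", "bytes_out"), H, NOW - H),
    Rule("Sysmon process injection", "main",
         "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational",
         ("EventCode", "TargetImage"), H, NOW - H),
    Rule("CloudTrail root login", "cloud", "aws:cloudtrail",
         ("eventName", "userIdentity.arn"), H, None),
]

if __name__ == "__main__":
    result = check_rule_health(RULES, SNAPSHOT, NOW)
    for name, problems in result.items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
    print(f"broken rules: {broken_rule_ratio(result):.0%}")
```

Run on the constructed data, only the brute-force rule is healthy: the Kerberoasting rule references a field the parser never extracts, the proxy rule sits on a source whose events are almost all unparsed, the Sysmon rule targets a sourcetype that is not being ingested at all, and the CloudTrail rule has both a silent source and a scheduler that never ran it. In a real deployment the snapshot would be built from the SIEM’s own metadata queries (field summaries, latest event per source, scheduler history) and the check would run on a schedule, so that a rule that breaks after an infrastructure change is flagged the same day rather than discovered in an audit.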

Moving Forward

While SIEMs remain critical to security operations, many organizations fail to maximize their detection capabilities. The good news is that most enterprises already have the necessary data – they just need to focus on:

  1. Scaling detection engineering processes
  2. Implementing continuous validation of detection rules
  3. Addressing blind spots in areas like container security
  4. Leveraging automation to improve efficiency
  5. Taking a more systematic approach to detection coverage

By focusing on these areas, organizations can significantly improve their ability to detect and respond to threats while efficiently using their existing security investments and team resources.


MixMode: Enhancing SIEM Capabilities

MixMode can significantly enhance an organization’s ability to leverage existing SIEM investments by addressing the key challenges security teams face, delivering: 

  • Real-time Threat Detection: Identifies known and novel threats across networks, cloud environments, and identities.
  • Predictive Capabilities: Highlights deviations from expected behavior, indicating potential issues or threats that need investigating.
  • Threat Prioritization: Identifies and ranks threats based on severity and likelihood of exploitation.
  • Alert Correlation: Correlates alerts across disparate security tools to uncover hidden threats and attack chains.
  • Data Fusion and Analysis: Fuses and analyzes data from across a network to provide a comprehensive, prioritized view of potential threats. 
  • No Rules Required: Eliminates the time-consuming process of writing and maintaining rules.

By combining an existing SIEM with MixMode’s AI-powered capabilities, organizations can:

  • Improve detection accuracy: Identify threats that your SIEM may be missing.
  • Reduce false positives: Minimize the burden on your security team.
  • Enhance efficiency: Automate routine tasks and streamline your security operations.
  • Strengthen your overall security posture: Protect your organization against a broader range of threats, including AI-generated attacks, ransomware, and other unknown threats.

MixMode is committed to helping organizations get the most out of their existing security investments with advanced threat detection. Contact us today to learn how we can enhance your SIEM capabilities and improve your overall security posture.
